{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-48788: Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-48788","status":"final","version":"1","initial_release_date":"2026-06-16T22:29:38.877Z","current_release_date":"2026-06-16T22:29:38.877Z","revision_history":[{"date":"2026-06-16T22:29:38.877Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. 
This issue has been fixed in version 1.16.0.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-48788 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-48788"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-48788"},{"category":"external","summary":"https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp","url":"https://github.com/umputun/remark42/security/advisories/GHSA-4c8j-mgm4-qqvp"},{"category":"external","summary":"https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8","url":"https://github.com/umputun/remark42/commit/78d6de6bce1e961f023969da3ec8a00dd80c9ae8"},{"category":"external","summary":"https://github.com/umputun/remark42/releases/tag/v1.16.0","url":"https://github.com/umputun/remark42/releases/tag/v1.16.0"}]},"product_tree":{"branches":[{"category":"vendor","name":"umputun","branches":[{"category":"product_name","name":"remark42","branches":[{"category":"product_version","name":">= 1.6.0, < 1.16.0","product":{"name":"umputun remark42 >= 1.6.0, < 1.16.0","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:umputun:remark42:\\>\\=_1.6.0\\,_\\<_1.16.0:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-48788","title":"Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing","notes":[{"category":"description","text":"Remark42 is a self-hosted comment engine for blogs, articles, or any other place where readers can add comments. Versions 1.6.0 through 1.15.0 contain a Cross-Site Scripting (XSS) vulnerability exploitable through content-type spoofing. The Remark42 image proxy fetches an arbitrary remote URL and re-serves the response from Remark42's own origin. 
During the download phase, the proxy determines whether the resource is an image by inspecting only the Content-Type header advertised by the remote server, never examining the actual bytes; during the serving phase, it instead derives the response Content-Type by sniffing those bytes with http.DetectContentType. An attacker can exploit this inconsistency by hosting a URL that advertises Content-Type: image/png while returning an HTML/JavaScript body: the download check accepts it as an image, the serving path sniffs the body and emits Content-Type: text/html, and the browser renders the attacker-controlled HTML/JavaScript as a document within Remark42's origin. Exploitation requires no Remark42 account on the target instance; the attacker only needs to host the malicious upstream URL and deliver the proxy link to a victim by any means, such as email, direct message, or a link on another website. This issue has been fixed in version 1.16.0.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N","baseScore":8.2,"baseSeverity":"HIGH"},"products":["CSAFPID-1"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory. Note that the description and references in this document identify release v1.16.0 (commit 78d6de6bce1e961f023969da3ec8a00dd80c9ae8) as containing the fix; reconcile this remediation entry with the upstream advisory before relying on it.","product_ids":["CSAFPID-1"]}]}]}